vault

package
Version: v6.6.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 8, 2022 License: MIT Imports: 28 Imported by: 1

Documentation

Index

Constants

View Source
const (
	// DefaultSessionDuration is the default duration for GetSessionToken or AssumeRole sessions
	DefaultSessionDuration = time.Hour * 1

	// DefaultChainedSessionDuration is the default duration for GetSessionToken sessions when chaining
	DefaultChainedSessionDuration = time.Hour * 8
)

Variables

View Source
var ErrNotFound = keyring.ErrKeyNotFound
View Source
var UseSession = true

UseSession will disable the use of GetSessionToken when set to false

View Source
var UseSessionCache = true

Functions

func FindMasterCredentialsNameFor added in v6.4.0

func FindMasterCredentialsNameFor(profileName string, keyring *CredentialKeyring, config *Config) (string, error)

func FormatKeyForDisplay

func FormatKeyForDisplay(k string) string

func GetUsernameFromSession

func GetUsernameFromSession(cfg aws.Config) (string, error)

GetUsernameFromSession returns the IAM username (or root) associated with the current aws session

func IsCurrentSessionKey

func IsCurrentSessionKey(s string) bool

func IsOIDCTokenKey

func IsOIDCTokenKey(k string) bool

func IsOldSessionKey

func IsOldSessionKey(s string) bool

func IsSessionKey

func IsSessionKey(s string) bool

func NewAssumeRoleProvider

func NewAssumeRoleProvider(credsProvider aws.CredentialsProvider, k keyring.Keyring, config *Config) (aws.CredentialsProvider, error)

NewAssumeRoleProvider returns a provider that generates credentials using AssumeRole

func NewAssumeRoleWithWebIdentityProvider

func NewAssumeRoleWithWebIdentityProvider(k keyring.Keyring, config *Config) (aws.CredentialsProvider, error)

NewAssumeRoleWithWebIdentityProvider returns a provider that generates credentials using AssumeRoleWithWebIdentity

func NewAwsConfig added in v6.4.0

func NewAwsConfig(region, stsRegionalEndpoints string) aws.Config

func NewAwsConfigWithCredsProvider added in v6.4.0

func NewAwsConfigWithCredsProvider(credsProvider aws.CredentialsProvider, region, stsRegionalEndpoints string) aws.Config

func NewEnvironmentCredentialsProvider added in v6.6.0

func NewEnvironmentCredentialsProvider() aws.CredentialsProvider

func NewFederationTokenCredentialsProvider added in v6.4.0

func NewFederationTokenCredentialsProvider(profileName string, k *CredentialKeyring, config *Config) (aws.CredentialsProvider, error)

func NewSSORoleCredentialsProvider

func NewSSORoleCredentialsProvider(k keyring.Keyring, config *Config) (aws.CredentialsProvider, error)

NewSSORoleCredentialsProvider creates a provider for SSO credentials

func NewSessionTokenProvider

func NewSessionTokenProvider(credsProvider aws.CredentialsProvider, k keyring.Keyring, config *Config) (aws.CredentialsProvider, error)

func NewTempCredentialsProvider

func NewTempCredentialsProvider(config *Config, keyring *CredentialKeyring) (aws.CredentialsProvider, error)

NewTempCredentialsProvider creates a credential provider for the given config

Types

type AssumeRoleProvider

type AssumeRoleProvider struct {
	StsClient         *sts.Client
	RoleARN           string
	RoleSessionName   string
	ExternalID        string
	Duration          time.Duration
	Tags              map[string]string
	TransitiveTagKeys []string
	SourceIdentity    string
	Mfa
}

AssumeRoleProvider retrieves temporary credentials from STS using AssumeRole

func (*AssumeRoleProvider) Retrieve

func (p *AssumeRoleProvider) Retrieve(ctx context.Context) (aws.Credentials, error)

Retrieve generates a new set of temporary credentials using STS AssumeRole

type AssumeRoleWithWebIdentityProvider

type AssumeRoleWithWebIdentityProvider struct {
	StsClient               *sts.Client
	RoleARN                 string
	RoleSessionName         string
	WebIdentityTokenFile    string
	WebIdentityTokenProcess string
	ExternalID              string
	Duration                time.Duration
}

AssumeRoleWithWebIdentityProvider retrieves temporary credentials from STS using AssumeRoleWithWebIdentity

func (*AssumeRoleWithWebIdentityProvider) Retrieve

Retrieve generates a new set of temporary credentials using STS AssumeRoleWithWebIdentity

type CachedSessionProvider

type CachedSessionProvider struct {
	SessionKey      SessionMetadata
	CredentialsFunc func(context.Context) (*ststypes.Credentials, error)
	Keyring         *SessionKeyring
	ExpiryWindow    time.Duration
}

CachedSessionProvider retrieves cached credentials from the keyring, or if no credentials are cached retrieves temporary credentials using the CredentialsFunc

func (*CachedSessionProvider) Retrieve

Retrieve returns cached credentials from the keyring, or if no credentials are cached generates a new set of temporary credentials using the CredentialsFunc

type Config

type Config struct {
	// ProfileName specifies the name of the profile config
	ProfileName string

	// SourceProfile is the profile where credentials come from
	SourceProfileName string

	// SourceProfile is the profile where credentials come from
	SourceProfile *Config

	// ChainedFromProfile is the profile that used this profile as it's source profile
	ChainedFromProfile *Config

	// Region is the AWS region
	Region string

	// STSRegionalEndpoints sets STS endpoint resolution logic, must be "regional" or "legacy"
	STSRegionalEndpoints string

	// Mfa config
	MfaSerial       string
	MfaToken        string
	MfaPromptMethod string

	// AssumeRole config
	RoleARN         string
	RoleSessionName string
	ExternalID      string

	// AssumeRoleWithWebIdentity config
	WebIdentityTokenFile    string
	WebIdentityTokenProcess string

	// GetSessionTokenDuration specifies the wanted duration for credentials generated with AssumeRole
	AssumeRoleDuration time.Duration

	// NonChainedGetSessionTokenDuration specifies the wanted duration for credentials generated with GetSessionToken
	NonChainedGetSessionTokenDuration time.Duration

	// ChainedGetSessionTokenDuration specifies the wanted duration for credentials generated with GetSessionToken when chaining
	ChainedGetSessionTokenDuration time.Duration

	// GetFederationTokenDuration specifies the wanted duration for credentials generated with GetFederationToken
	GetFederationTokenDuration time.Duration

	// SSOStartURL specifies the URL for the AWS SSO user portal.
	SSOStartURL string

	// SSORegion specifies the region for the AWS SSO user portal.
	SSORegion string

	// SSOAccountID specifies the AWS account ID for the profile.
	SSOAccountID string

	// SSORoleName specifies the AWS SSO Role name to target.
	SSORoleName string

	// SSOUseStdout specifies that the system browser should not be automatically opened
	SSOUseStdout bool

	// SessionTags specifies assumed role Session Tags
	SessionTags map[string]string

	// TransitiveSessionTags specifies assumed role Transitive Session Tags keys
	TransitiveSessionTags []string

	// SourceIdentity specifies assumed role Source Identity
	SourceIdentity string
}

Config is a collection of configuration options for creating temporary credentials

func (*Config) CanUseGetSessionToken

func (c *Config) CanUseGetSessionToken() (bool, string)

CanUseGetSessionToken determines if GetSessionToken should be used, and if not returns a reason

func (*Config) GetSessionTokenDuration

func (c *Config) GetSessionTokenDuration() time.Duration

func (*Config) HasMfaSerial

func (c *Config) HasMfaSerial() bool

func (*Config) HasRole

func (c *Config) HasRole() bool

func (*Config) HasSSOStartURL

func (c *Config) HasSSOStartURL() bool

func (*Config) HasSourceProfile

func (c *Config) HasSourceProfile() bool

func (*Config) HasWebIdentityTokenFile

func (c *Config) HasWebIdentityTokenFile() bool

func (*Config) HasWebIdentityTokenProcess

func (c *Config) HasWebIdentityTokenProcess() bool

func (*Config) IsChained

func (c *Config) IsChained() bool

func (*Config) SetSessionTags added in v6.3.0

func (c *Config) SetSessionTags(s string) error

SetSessionTags parses a comma separated key=vaue string and sets Config.SessionTags map

func (*Config) SetTransitiveSessionTags added in v6.3.0

func (c *Config) SetTransitiveSessionTags(s string)

SetTransitiveSessionTags parses a comma separated string and sets Config.TransitiveSessionTags

type ConfigFile

type ConfigFile struct {
	Path string
	// contains filtered or unexported fields
}

ConfigFile is an abstraction over what is in ~/.aws/config

func LoadConfig

func LoadConfig(path string) (*ConfigFile, error)

LoadConfig loads and parses a config file. No error is returned if the file doesn't exist

func LoadConfigFromEnv

func LoadConfigFromEnv() (*ConfigFile, error)

LoadConfigFromEnv finds the config file from the environment

func (*ConfigFile) Add

func (c *ConfigFile) Add(profile ProfileSection) error

Add the profile to the configuration file

func (*ConfigFile) ProfileNames

func (c *ConfigFile) ProfileNames() []string

ProfileNames returns a slice of profile names from the AWS config

func (*ConfigFile) ProfileSection

func (c *ConfigFile) ProfileSection(name string) (ProfileSection, bool)

ProfileSection returns the profile section with the matching name. If there isn't any, an empty profile with the provided name is returned, along with false.

func (*ConfigFile) ProfileSections

func (c *ConfigFile) ProfileSections() []ProfileSection

ProfileSections returns all the profile sections in the config

func (*ConfigFile) Save

func (c *ConfigFile) Save() error

type ConfigLoader

type ConfigLoader struct {
	BaseConfig    Config
	File          *ConfigFile
	ActiveProfile string
	// contains filtered or unexported fields
}

ConfigLoader loads config from configfile and environment variables

func (*ConfigLoader) LoadFromProfile

func (cl *ConfigLoader) LoadFromProfile(profileName string) (*Config, error)

LoadFromProfile loads the profile from the config file and environment variables into config

type CredentialKeyring

type CredentialKeyring struct {
	Keyring keyring.Keyring
}

func (*CredentialKeyring) Get

func (ck *CredentialKeyring) Get(credentialsName string) (creds aws.Credentials, err error)

func (*CredentialKeyring) Has

func (ck *CredentialKeyring) Has(credentialsName string) (bool, error)

func (*CredentialKeyring) Keys

func (ck *CredentialKeyring) Keys() (credentialsNames []string, err error)

func (*CredentialKeyring) Remove

func (ck *CredentialKeyring) Remove(credentialsName string) error

func (*CredentialKeyring) Set

func (ck *CredentialKeyring) Set(credentialsName string, creds aws.Credentials) error

type EnvironmentVariablesCredentialsProvider added in v6.6.0

type EnvironmentVariablesCredentialsProvider struct {
}

EnvironmentVariablesCredentialsProvider retrieves AWS credentials available in the OS environment variables

func (*EnvironmentVariablesCredentialsProvider) Retrieve added in v6.6.0

type FederationTokenProvider

type FederationTokenProvider struct {
	StsClient *sts.Client
	Name      string
	Duration  time.Duration
}

FederationTokenProvider retrieves temporary credentials from STS using GetFederationToken

func (*FederationTokenProvider) Retrieve

func (f *FederationTokenProvider) Retrieve(ctx context.Context) (creds aws.Credentials, err error)

Retrieve generates a new set of temporary credentials using STS GetFederationToken

type KeyringProvider

type KeyringProvider struct {
	Keyring         *CredentialKeyring
	CredentialsName string
}

KeyringProvider stores and retrieves master credentials

func NewMasterCredentialsProvider

func NewMasterCredentialsProvider(k *CredentialKeyring, credentialsName string) *KeyringProvider

NewMasterCredentialsProvider creates a provider for the master credentials

func (*KeyringProvider) Retrieve

func (p *KeyringProvider) Retrieve(ctx context.Context) (aws.Credentials, error)

type Mfa

type Mfa struct {
	MfaToken        string
	MfaPromptMethod string
	MfaSerial       string
}

Mfa contains options for an MFA device

func (*Mfa) GetMfaToken

func (m *Mfa) GetMfaToken() (*string, error)

GetMfaToken returns the MFA token

type OIDCTokenCacher

type OIDCTokenCacher interface {
	Get(string) (*ssooidc.CreateTokenOutput, error)
	Set(string, *ssooidc.CreateTokenOutput) error
}

type OIDCTokenData

type OIDCTokenData struct {
	Token      ssooidc.CreateTokenOutput
	Expiration time.Time
}

type OIDCTokenKeyring

type OIDCTokenKeyring struct {
	Keyring keyring.Keyring
}

func (OIDCTokenKeyring) Get

func (OIDCTokenKeyring) Has

func (o OIDCTokenKeyring) Has(startURL string) (bool, error)

func (*OIDCTokenKeyring) Keys

func (o *OIDCTokenKeyring) Keys() (kk []string, err error)

func (OIDCTokenKeyring) Remove

func (o OIDCTokenKeyring) Remove(startURL string) error

func (*OIDCTokenKeyring) RemoveAll

func (o *OIDCTokenKeyring) RemoveAll() (n int, err error)

func (OIDCTokenKeyring) Set

func (o OIDCTokenKeyring) Set(startURL string, token *ssooidc.CreateTokenOutput) error

type ProfileSection

type ProfileSection struct {
	Name                    string `ini:"-"`
	MfaSerial               string `ini:"mfa_serial,omitempty"`
	RoleARN                 string `ini:"role_arn,omitempty"`
	ExternalID              string `ini:"external_id,omitempty"`
	Region                  string `ini:"region,omitempty"`
	RoleSessionName         string `ini:"role_session_name,omitempty"`
	DurationSeconds         uint   `ini:"duration_seconds,omitempty"`
	SourceProfile           string `ini:"source_profile,omitempty"`
	ParentProfile           string `ini:"parent_profile,omitempty"` // deprecated
	IncludeProfile          string `ini:"include_profile,omitempty"`
	SSOStartURL             string `ini:"sso_start_url,omitempty"`
	SSORegion               string `ini:"sso_region,omitempty"`
	SSOAccountID            string `ini:"sso_account_id,omitempty"`
	SSORoleName             string `ini:"sso_role_name,omitempty"`
	WebIdentityTokenFile    string `ini:"web_identity_token_file,omitempty"`
	WebIdentityTokenProcess string `ini:"web_identity_token_process,omitempty"`
	STSRegionalEndpoints    string `ini:"sts_regional_endpoints,omitempty"`
	SessionTags             string `ini:"session_tags,omitempty"`
	TransitiveSessionTags   string `ini:"transitive_session_tags,omitempty"`
	SourceIdentity          string `ini:"source_identity,omitempty"`
}

ProfileSection is a profile section of the config file

func (ProfileSection) IsEmpty

func (s ProfileSection) IsEmpty() bool

type SSORoleCredentialsProvider

type SSORoleCredentialsProvider struct {
	OIDCClient     *ssooidc.Client
	OIDCTokenCache OIDCTokenCacher
	StartURL       string
	SSOClient      *sso.Client
	AccountID      string
	RoleName       string
	UseStdout      bool
}

SSORoleCredentialsProvider creates temporary credentials for an SSO Role.

func (*SSORoleCredentialsProvider) Retrieve

Retrieve generates a new set of temporary credentials using SSO GetRoleCredentials.

type SessionKeyring

type SessionKeyring struct {
	Keyring keyring.Keyring
}

func (*SessionKeyring) Get

func (sk *SessionKeyring) Get(key SessionMetadata) (creds *ststypes.Credentials, err error)

func (*SessionKeyring) GetAllMetadata

func (sk *SessionKeyring) GetAllMetadata() (mm []SessionMetadata, err error)

func (*SessionKeyring) Has

func (sk *SessionKeyring) Has(key SessionMetadata) (bool, error)

func (*SessionKeyring) Keys

func (sk *SessionKeyring) Keys() (kk []SessionMetadata, err error)

func (*SessionKeyring) Remove

func (sk *SessionKeyring) Remove(key SessionMetadata) error

func (*SessionKeyring) RemoveAll

func (sk *SessionKeyring) RemoveAll() (n int, err error)

func (*SessionKeyring) RemoveForProfile

func (sk *SessionKeyring) RemoveForProfile(profileName string) (n int, err error)

func (*SessionKeyring) RemoveOldSessions

func (sk *SessionKeyring) RemoveOldSessions() (n int, err error)

func (*SessionKeyring) Set

type SessionMetadata

type SessionMetadata struct {
	Type        string
	ProfileName string
	MfaSerial   string
	Expiration  time.Time
}

func NewSessionKeyFromString

func NewSessionKeyFromString(s string) (SessionMetadata, error)

func (*SessionMetadata) String

func (k *SessionMetadata) String() string

func (*SessionMetadata) StringForMatching

func (k *SessionMetadata) StringForMatching() string

type SessionTokenProvider

type SessionTokenProvider struct {
	StsClient *sts.Client
	Duration  time.Duration
	Mfa
}

SessionTokenProvider retrieves temporary credentials from STS using GetSessionToken

func (*SessionTokenProvider) GetSessionToken

func (p *SessionTokenProvider) GetSessionToken(ctx context.Context) (*ststypes.Credentials, error)

GetSessionToken generates a new set of temporary credentials using STS GetSessionToken

func (*SessionTokenProvider) Retrieve

Retrieve generates a new set of temporary credentials using STS GetSessionToken

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL